How to Export and Install an SSL Certificate for StoreFront to Use HTTPS

This article explains how to export your existing SSL certificate, import the certificate to another StoreFront server, bind the certificate to Internet Information Services IIS, and configure StoreFront for HTTPS connections. This article assumes the following typical scenarios: You have created...

USN-3048-1: curl vulnerabilities

Bru Rom discovered that curl incorrectly handled client certificates when resuming a TLS session. CVE-2016-5419 It was discovered that curl incorrectly handled client certificates when reusing TLS connections. CVE-2016-5420 Marcelo Echeverria and Fernando Muñoz discovered that curl incorrectly...

Proxy auto-config (PAC) files have access to full HTTPS URLs

Overview Web proxy auto-config PAC files are passed the full HTTPS URL in GET requests which may expose sensitive data. Description CWE-212: Improper Cross-boundary Removal of Sensitive Data - CVE-2016-5134 Google, CVE-2016-1801 AppleWeb proxy auto-configuration files proxy.pac have access to the...

Hardcoded credentials

Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 use a hardcoded 0xb9eed4d955a59eb3 X.509 certificate from an OpenSSL Test Certification Authority, which makes it easier for remote attackers to conduct man-in-the-middle attacks against HTTPS sessions by leveraging th...

CVE-2016-5669

Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 use a hardcoded 0xb9eed4d955a59eb3 X.509 certificate from an OpenSSL Test Certification Authority, which makes it easier for remote attackers to conduct man-in-the-middle attacks against HTTPS sessions by leveraging th...

Google Adds New Layer of Security to Domain: Adds HSTS

Google is adding HTTP Strict Transport Security or HSTS to the Google.com domain, an extra layer of protection that prevents visitors from using a less secure HTTP connection. By using HSTS, visitors following HTTP links to Google.com will be automatically redirected to the more secure HTTPS...

New HTTPS URL Leakage Attack Leaves PCs, Macs, Linux Systems Vulnerable

LAS VEGAS — Researchers have found flaws in the Web Proxy AutoDiscovery protocol tied to DHCP and DNS servers that allow hackers spy on HTTPS-protected URLs and launch a myriad of different malicious attacks against Linux, Windows or Mac computers. According to the security firm SafeBreach, this...

CVE-2016-5132

The Service Workers subsystem in Google Chrome before 52.0.2743.82 does not properly implement the Secure Contexts specification during decisions about whether to control a subframe, which allows remote attackers to bypass the Same Origin Policy via an https IFRAME element inside an http IFRAME...

CVE-2016-5137

The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy CSP implementation in Blink, as used in Google Chrome before 52.0.2743.82, does not apply http :80 policies to https :443 URLs and does not apply ws :80 policies to wss :443 URLs,...

Oracle Database Multiple Vulnerabilities (July 2016 CPU) (FREAK)

The remote Oracle Database Server is missing the July 2016 Critical Patch Update CPU. It is, therefore, affected by multiple vulnerabilities : - A security feature bypass vulnerability, known as FREAK Factoring attack on RSA-EXPORT Keys, exists in the RDBMS HTTPS Listener package due to the suppo...

Moodle 2.0.x < 2.0.10 Multiple Vulnerabilities

Binary data 9403.prm...

Axis Communications MPQTPACS 5.20.x - Server-Side Include Daemon Remote Format String

Axis Communications MPQTPACS 5.20.x - Server-Side Include Daemon Remote Format String !/usr/bin/env python2.7 SOF Remote Format String Exploit Axis Communications MPQT/PACS Server Side Include SSI Daemon Research and development by bashis 2016 This format string vulnerability has following...

Axis Communications MPQT/PACS 5.20.x - Server-Side Include Daemon Remote Format String

!/usr/bin/env python2.7 SOF Remote Format String Exploit Axis Communications MPQT/PACS Server Side Include SSI Daemon Research and development by bashis 2016 This format string vulnerability has following characteristic: - Heap Based Exploiting string located on the heap - Blind Attack No output...

Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String

Exploit for multiple platform in category remote exploits !/usr/bin/env python2.7 SOF Remote Format String Exploit Axis Communications MPQT/PACS Server Side Include SSI Daemon Research and development by bashis 2016 This format string vulnerability has following characteristic: - Heap Based...

Axis Communications MPQT/PACS SSI Remote Format String / Code Execution

!/usr/bin/env python2.7 SOF Remote Format String Exploit Axis Communications MPQT/PACS Server Side Include SSI Daemon Research and development by bashis 2016 This format string vulnerability has following characteristic: - Heap Based Exploiting string located on the heap - Blind Attack No output...

Fedora 23 : phpMyAdmin (2016-55261b6815)

phpMyAdmin 4.6.2 2016-05-25 ============================= - security User SQL queries can be revealed through URL GET parameters, see PMASA-2016-14 - security Self XSS vulneratbility, see PMASA-2016-16 - Use https for documentation links - Fix schema export with too many tables - Avoid parsing no...

Fedora 24 : phpMyAdmin (2016-e3240782ec)

phpMyAdmin 4.6.2 2016-05-25 ============================= - security User SQL queries can be revealed through URL GET parameters, see PMASA-2016-14 - security Self XSS vulneratbility, see PMASA-2016-16 - Use https for documentation links - Fix schema export with too many tables - Avoid parsing no...

QIWI: Xss on billing

При нажатии "Вернуться на сайт" вызывается javascript:alert F104691 - href vulnerable https://bill.qiwi.com/order/external/success.action?comm=test&from=6045&to=&successUrl=javascript%3Aalert1//&order=747156761&phone=79051564213 Уязвимое поля: successUrl, failUrl Как пофиксить: Сделать фильтр и...

Design/Logic Flaw

The HTTPS server in Blue Coat PacketShaper S-Series 11.5.x before 11.5.3.2 might allow remote attackers to obtain sensitive credentials and other information via unspecified vectors, related to use of insecure cryptographic parameters...

CVE-2016-5774

CVE-2016-5774 affects Blue Coat PacketShaper S-Series: the HTTPS server in 11.5.x before 11.5.3.2 uses insecure cryptographic parameters, enabling a remote attacker to obtain credentials and other sensitive information via management interfaces. Affected product: PacketShaper S-Series 11.5.x (bef...